Privacy Policy
Last updated: June 2, 2026
1. Controller
The controller for this website, account management, billing, product, support, security, and marketing processing is Sine Aspera Ad Astra GmbH i.G., Adalbertstraße 56, 80799 Munich, Germany, represented by its managing director Felix Graeber. Commercial register entry pending at Amtsgericht München.
Email: contact@invoice-converter.com. No Data Protection Officer has been appointed because the statutory appointment requirements are not currently met.
2. What We Process
Website and security data: IP address, request metadata, timestamps, user agent, referrer, cookie consent state, rate-limit events, security events, error logs, and correlation IDs. Legal basis: Art. 6(1)(f) GDPR.
Account and billing data: email address, authentication identifiers, plan, subscription status, API-credit balance, Stripe customer and invoice references, language preferences, and service communications. Legal basis: Art. 6(1)(b), Art. 6(1)(c), and Art. 6(1)(f) GDPR.
Invoice conversion data: uploaded documents, extracted invoice fields, supplier and customer names, addresses, tax IDs, VAT IDs, IBAN/BIC, line items, amounts, generated XML/PDF artifacts, validation proofs, hashes, diagnostics, and support/debug bundles where needed to provide the requested workflow.
External API data: tenant IDs, API key IDs, API key prefixes, idempotency keys, request hashes, endpoint, method, status, correlation IDs, usage and audit events, rate-limit denials, credit-ledger events, filenames where supplied, format/profile/jurisdiction hints, and technical metadata needed for authentication, billing, security, troubleshooting, and idempotent retries. Plaintext API keys are not intentionally stored after creation.
Analytics and session replay: only after consent, we use product analytics and session replay to understand product usage and improve the Service. We configure analytics to avoid invoice content and do not use invoice content for product analytics.
Marketing: promotional email is sent only where permitted by law, including consent or an applicable existing-customer exception. You can unsubscribe at any time. Service, security, billing, and transactional emails are not marketing.
3. Processing on Behalf of Customers
For business customers, invoice content is usually processed by us as processor on the customer's behalf. The customer remains responsible for the lawfulness of uploaded invoice data, data minimization, source-data accuracy, review, delivery, archiving, and final legal, tax, or accounting decisions. Our Data Processing Agreement governs this processing where Art. 28 GDPR applies.
Customer invoice content is used only to provide, secure, troubleshoot, support, and operate the Service and to comply with legal obligations. It is not used for model training, reusable datasets, benchmarking, or product analytics unless the customer gives explicit written permission.
4. Subprocessors and Transfers
We use subprocessors for hosting, security, AI/OCR processing, authentication, storage, billing, email, analytics, and error telemetry. Depending on the workflow, providers may include Vercel, Koyeb, Cloudflare, Supabase, OpenAI, Mistral AI, Google Ireland/Google LLC, Stripe, Brevo, PostHog, and Sentry.
Processing is intended to use EU infrastructure where available, but we do not promise Germany-only or EU-only processing. Third-country transfers may occur, for example through AI providers, security providers, support access, telemetry, or global network infrastructure. Where required, we rely on Standard Contractual Clauses and additional safeguards.
5. Retention
| Data | Standard retention |
|---|---|
| Terminal processing tasks | Usually available for about 10 minutes after completion or failure. |
| External API idempotency records | 24 hours by default. |
| Generated artifacts, validation proofs, and diagnostics | Temporarily retained where needed for async processing, download, strict validation proof, restart recovery, or troubleshooting. Debug bundles are retained for up to 14 days by default. |
| Security, application, and audit logs | Event logs are retained according to the deployed log-retention setting, currently expected to be 30 days unless changed. Aggregate logs may be retained longer, currently up to 365 days by default. |
| Account, contract, and billing records | For the account or contract term and then as required for statutory, tax, accounting, fraud-prevention, and dispute purposes. |
| Marketing preferences | Until unsubscribe, account deletion, or objection, with suppression records retained where needed to respect opt-outs. |
We do not operate a permanent central archive of uploaded customer invoice documents. Some records may be retained longer where required by law, to establish or defend legal claims, to investigate abuse or security events, or to maintain billing and audit integrity.
6. Your Rights
Subject to statutory requirements, you may request access, rectification, erasure, restriction, portability, objection to processing based on legitimate interests, and withdrawal of consent. You may also lodge a complaint with a data protection authority, for example the Bavarian State Office for Data Protection Supervision.
7. Security and Incidents
We use HTTPS, access controls, role-based administration, least-privilege access, logging, tenant separation, secret handling, and provider-side infrastructure security controls. No internet service can be guaranteed completely secure.
We notify affected customers and authorities as required by law after confirming a relevant personal-data breach. Any timing targets are operational targets, not service credits or contractual penalties unless expressly agreed in writing.
8. Contact
Sine Aspera Ad Astra GmbH i.G.
Adalbertstraße 56, 80799 Munich, Germany
Email: contact@invoice-converter.com